Breaking into a Drupal Site - Everyone learns to be scared, devs learn to fix

This session will focus on using security vulnerabilities to break into a Drupal site.

We'll look at some of the most common vulnerability types and how to exploit them. My feeling is that if people don't know how to break into their site they won't know whether or not they are vulnerable (or whether they've fixed the vulnerabilities).

This session will be similar to previous sessions I've given on this topic including:

  • XSS: still the number one security issue in Drupal
  • CSRF: still common and hard-ish to fix (see also how to fix CSRF in Drupal)
  • SQL injection and access bypass: easy to fix, still common

with the added bonus of

  • A focus on how to exploit the vulnerabilities
  • Ben Jeavons playing question champion (monitoring the IRC backchannel and Twitter)

So, be sure to bring your laptop with a test Drupal site running so that you can learn some basic tools to exploit vulnerabilities!

Audience

Portions of this presentation will be applicable to everyone, because you will learn how to spot Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), access bypass, and SQL injection.

Portions of the presentation will be best for developers, so you can know how to fix the weaknesses that everyone is finding in your modules and themes.
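The four vulnerability classes named above (XSS, CSRF, SQL injection, access bypass) each come down to one missing call in module code. The following is an added example, not material from the session or its slides: one vulnerable/fixed pair per class, written against the Drupal 6 API that was current at the time (db_query() with %s/%d placeholders, check_plain()/t(), drupal_get_token()/drupal_valid_token(), menu 'access arguments'). The example_* function names, the 'example/...' paths, and the 'administer example' permission are hypothetical.

```php
<?php
// Added example (not from the session page). Assumes Drupal 6 APIs;
// every example_* name, path and permission below is hypothetical.

// --- SQL injection ---------------------------------------------------
// Vulnerable: user input concatenated straight into the query string.
function example_lookup_vulnerable($title) {
  return db_fetch_object(db_query("SELECT nid FROM {node} WHERE title = '" . $title . "'"));
}
// Fixed: Drupal 6 placeholders. %s is escaped by db_query(), %d is cast to int.
function example_lookup_fixed($title) {
  return db_fetch_object(db_query("SELECT nid FROM {node} WHERE title = '%s'", $title));
}

// --- Cross Site Scripting --------------------------------------------
// Vulnerable: raw user text echoed into the page.
function example_greet_vulnerable($name) {
  return '<div>Hello ' . $name . '</div>';
}
// Fixed: escape on output. The @ placeholder in t() runs check_plain();
// use filter_xss() instead when a limited set of tags is allowed.
function example_greet_fixed($name) {
  return '<div>' . t('Hello @name', array('@name' => $name)) . '</div>';
}

// --- Cross Site Request Forgery --------------------------------------
// Vulnerable: a state-changing GET page with no token, so any page that
// embeds <img src="/example/delete/42"> deletes node 42 for a logged-in admin.
function example_delete_vulnerable($nid) {
  node_delete($nid);
  drupal_goto('<front>');
}
// Fixed: bind a token to the specific action when the link is built...
function example_delete_link($nid) {
  return l(t('Delete'), "example/delete/$nid", array(
    'query' => array('token' => drupal_get_token('example-delete-' . $nid)),
  ));
}
// ...and verify it before acting. (A confirm_form() does this for you,
// since Form API adds and checks its own form token.)
function example_delete_fixed($nid) {
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'example-delete-' . $nid)) {
    return drupal_access_denied();
  }
  node_delete($nid);
  drupal_goto('<front>');
}

// --- Access bypass ---------------------------------------------------
// Vulnerable: hook_menu() item reachable by anyone, including anonymous users.
function example_menu_vulnerable() {
  $items['example/admin'] = array(
    'page callback' => 'example_admin_page',
    'access callback' => TRUE,
  );
  return $items;
}
// Fixed: gate the path on a permission (user_access() is the default
// access callback). Node-level checks still need node_access() on each $node.
function example_menu_fixed() {
  $items['example/admin'] = array(
    'page callback' => 'example_admin_page',
    'access arguments' => array('administer example'),
  );
  return $items;
}
```

To test the fixed versions on your own site, try a title such as `x' OR '1'='1` against the lookup, a `<script>alert(1)</script>` name against the greeting, the delete URL without its token parameter, and the admin path while logged out; each should fail the way the session describes.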

If you are interested in this session you may also be interested in Drupal Security - Configuration and Process.

About Greg's Security experience

For several years now Greg has been working with the Drupal security team, making the Drupal world more secure. A year ago he published Cracking Drupal. This spring he was a co-author, with Ben Jeavons, of the Drupal Security Report. And this past year he and Ben launched a service to provide security reviews for Drupal sites.

Day:
Sunday, 6/27
Time Slot:
9:15am - 10:15am
Room:
NC #1130 Growing Venture Solutions
Skill Level:
Intermediate
Track:
Development
Slides:

I attended this great seminar

I attended this great seminar and cannot find the notes...were they posted? Are they posted elsewhere? Thanks, Nini Welch (momgyver)